In this whitepaper, they use a HTTP server history (see screenshot) as the basis for the codename of an identified attack, "Operation Wocao".
The attackers (presumably APT20) were shown to be extremely competent technically. I was curious whether the use of a word like "wocao" is a reliable indicator of nationality.
In other articles, I have often seen nation-state actors leave misleading cultural/linguistic fingerprints in more obscure places than a webshell (code metadata, registrar email's backup email etc.), but presumably not in realtime.
In particular, I would like to know if (correctly) culturally-identifying phrases are known to have been obtained from realtime interaction by a nation-state attacker.
- Since such instances are likely to be guarded information, I refer only to publicly available information (e.g. white papers, incident reports, journalism)
